Microsoft fixed RCE flaw in a driver used by Azure Synapse and Data Factory

Microsoft disclosed a now-fixed vulnerability in Azure Synapse and Azure Data Factory that could have allowed remote code execution.

Microsoft announced to have addressed a critical remote code execution flaw, tracked as CVE-2022-29972 and named SynLapse, affecting Azure Synapse and Azure Data Factory.

The vulnerability was discovered by researchers from Orca Security and resides in a third-party driver used in the above solution.

“The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole.” reads the advisory published by Microsoft. “The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant.”

A threat actor can exploit this flaw to acquire the Azure Data Factory service certificate and execute commands in another tenant’s Azure Data Factory Integration Runtimes.

Researchers at Orca Security speculate that the tenant separation is not sufficiently robust to prevent users from accessing sensitive data of other tenants, including Azure’s service keys, API tokens, and passwords to other services.

Experts discovered the SynLapse issue in January 4 and fixed it on April 15, below is video PoC of the exploitation of the issue. The video shows a “customer” uses Azure Synapse Analytics to store credentials to an external service (HTTP server in this example) and the attacker exploring the issue to access these credentials while executing code on the customer’s machine.

Azure Synapse Security Advisory – Orca Security

“We are going to hold off on publishing technical details of the exploits we have found until June 14, for two reasons. First, the vulnerabilities are also present in the on-premises version of Synapse, and this will provide Microsoft’s customers some additional time to deploy and remediate the existing mitigations in their on-premises environments.” wrote Orca Security.”Second, we believe that the technical details of the exploit will make it easier for attackers to find more open attack vectors, and the delay will allow time for organizations to reconsider their usage of Synapse.”

Below is the timeline for this vulnerability:

• January 4 – Orca reported the issue to Microsoft
• March 2 – Microsoft completed rollout of initial hotfix
• March 11 – Microsoft identified and notified customers affected by the researcher’s activity
• March 30 – Orca notified Microsoft of an additional attack path to the same vulnerability
• April 13 – Orca notified Microsoft of a second attack path to the same vulnerability
• April 15 – Additional fixes deployed for the two newly reported attack paths as well as additional defense in depth measures applied

Microsoft said that it has found no evidence of attacks exploiting this flaw in the wild..

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)

[adrotate banner=”5″]

[adrotate banner=”13″]